--Friday, March 9, 2007, 6:49:13 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

RAG> For one, I've been a sys admin for 20 years and NEVER created a
RAG> private folder under a public folder.

Nice. What about creating a "Sales Reports" folder, to which only the head of
the Sales department has access, inside a "Sales" folder?

RAG> I mean let's debate why users get Full Control to their own
RAG> folders in the first place. That's a common scenario (it's on
RAG> nearly every network) and it's almost always too many permissions.
RAG> Do I want my regular end-users changing their folder's security
RAG> permissions? No. Should any regular end-user have Full Control to
RAG> any share? No, for the same reason. These are valid, common,
RAG> security points that really do beg further discussion.

There is no actual difference between "Change" and "Full Control"
permissions for NTFS. "Change" gives you the ability to delete and create
objects. The ability to delete some object and create it again gives you a
way to become the object's owner, as if you had the "Take ownership" individual
permission. As an owner you always have the implicit "Change permissions"
individual permission. So, you have your "Full control" without having
it. There is simply nothing more to debate here. The ownership problem has been
debated for ages.

RAG> You're just making up crap that isn't overly realistic in
RAG> the world, then going further to assume that a bonehead
RAG> administrator compounds the problem by making further insecure
RAG> decisions.

RAG> You are essentially saying, "If you misconfigure your system and
RAG> make further insecure choices, someone can hack you." Duh.

Subject: Re: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
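An added audit script, not part of the original thread, for the scenario discussed above: it walks a share root (the path is an assumed placeholder) and lists subfolders whose own ACL does not mention a principal that the parent folder grants "Delete Subfolders and Files" to, which is the delete-and-recreate-to-become-owner situation a "private folder under a public folder" creates.

```powershell
# Added example, not from the original thread. Flags subfolders that a principal
# could delete (and recreate, becoming owner) via rights on the parent folder,
# even though the subfolder's own ACL does not grant that principal anything.
# $Root is an assumed placeholder; run as an account that can read the ACLs.
param([string]$Root = 'D:\Shares\Sales')

# Parent-level right that lets a principal delete child folders regardless of the child's ACL.
$deleteChildren = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Principals that are expected to hold such rights and are not reported.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-ChildDeleters {
    # Returns non-trusted principals with an Allow ACE on $Path that includes DeleteSubdirectoriesAndFiles.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $deleteChildren) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

function Get-AllowedPrincipals {
    # Returns every principal with any Allow ACE on $Path (inherited or explicit).
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $parent   = Split-Path -Path $_.FullName -Parent
    $deleters = @(Get-ChildDeleters -Path $parent)
    if ($deleters.Count -eq 0) { return }   # nobody untrusted can remove this folder via the parent

    $allowedInChild = @(Get-AllowedPrincipals -Path $_.FullName)
    # Principals who can delete the folder from the parent but are not granted access inside it.
    $exposed = $deleters | Where-Object { $allowedInChild -notcontains $_ }
    if ($exposed) {
        [pscustomobject]@{
            Folder          = $_.FullName
            CanDeleteParent = ($exposed -join ', ')
        }
    }
}
```

A folder that is not empty also needs delete rights on its contents before it can be removed, so treat each reported row as a candidate for review rather than a confirmed exposure.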